Cyber Security: If You Don’t Know the Mission, You Don’t Know the Risk

Like the good cyber security stewards we are, we regularly inventory our assets, assess known vulnerabilities, and stay abreast of the latest threat intelligence. So we know our risk, right? Not necessarily.

When assessing risk, many cyber security professionals think of the technological impact, such as webserver downtime or the inability to deliver email. The truth is the impact is on the organization’s mission. For instance, when a denial of service attack hits the company’s ecommerce site, the impact is the loss of revenue and customer loyalty.

Many cyber security professionals express frustration with not being able to effectively communicate their concerns to upper management. They may use tools and systems that measure the technological components of risk, and they are able to show beautiful graphs that demonstrate the change in that risk over time. However, in order to really assess and communicate risk, the assets they monitor must be tied to something tangible and valuable to the organization. There are a few ways to go about this.

The National Institute of Standards and Technology (NIST) in Special Publication 800-39 advises cyber security professionals to see the organization in three tiers: an organizational level (tier 1), a mission/business process level (tier 2) and an information system level (tier 3). When assessing risk affecting an information system, NIST recommends tying the asset to a business process at tier 2. That business process, in turn, supports an organizational mission at tier 1.

Finally, the Software Engineering Institute’s CERT Resilience Management Model is a capability maturity model built on the structure of the Capability Maturity Model-Integrated (CMMI) family. CERT-RMM focuses on building an organization’s operational resilience and centers around a process of:

Identifying the organization’s high-value services (i.e., functions that enable the organization to meet its strategic objectives, such as ecommerce, billing or logistics).

Identifying the organization’s assets (people, information, technology, facilities and supply chain), and then assessing the dependencies between those assets and high-value services.

By creating connections between what we are defending and the consequence to the organization, the conversation with business leaders changes. We are now speaking the same language. They may not understand the technological underpinnings of the risk. That is our job. However, when we make recommendations for new capital investments, personnel structure changes and organizational-culture changing communications, we have a place in the middle where we can meet: the mission impact.